                 REPORT ON THE AUDIT OF NETWORK
                     REMOTE DIAL-IN SECURITY



                        TABLE OF CONTENTS


                                                             Page
EXECUTIVE DIGEST ...........................................    1

AUDIT OBJECTIVE ............................................    4

AUDIT SCOPE ................................................    4

BACKGROUND .................................................    4

FINDING - The Commission Has Not Adequately Secured The
          Network Remote Dial-In Capability

     o Details of Finding ..................................    7
     o Recommendations .....................................   11

APPENDIX 1 -   Audit Team and Acknowledgements

APPENDIX 2 -   Audit Methodology

APPENDIX 3 -   October 18, 1996 report entitled "Flash Report on
               Vulnerabilities Identified during our Review of
               Remote Dial-In Security"

APPENDIX 4 -   January 10, 1997 report entitled "Audit Of The
               Federal Communications Commission (FCC) Remote
               Dial-In Capability" prepared by TWM Associates,
               Inc. reporting the detailed results of Remote
               Dial-In Testing

APPENDIX 5 -   Managing Director's Response to the Draft Audit
               Report

EXECUTIVE DIGEST

In 1992, the Commission engaged in an agency-wide effort to
modernize its automated information systems. The goal of the
program, entitled "Information Systems Modernization (ISM)", was
to "replace the Commission's obsolete IRM [Information Resource
Management] equipment and systems with an entirely new
information systems architecture to meet our mission needs."
Many objectives were envisioned, including "easier access to all
databases and greatly enhanced ability to retrieve and to
manipulate data to support regulatory and administrative
decisions" and "widespread use of electronic mail and bulletin
boards for dissemination of information, exchange of documents,
and communications within the Commission and with the public."
To accomplish these objectives, the Commission moved from a
centralized mainframe processing environment to a distributed
network-based processing environment.

Since 1992, the Commission has made tremendous strides in
implementing the distributed networked environment which existed
only on paper at that time. In fact, the rapidity of change in
computing has resulted in accomplishments beyond those
originally anticipated. For example, the introduction and
encouraged use of the Internet as a means of distributing
information has greatly reduced the need for the bulletin boards
originally envisioned. However, along with the benefits that
have clearly been derived from the Commission's conversion to a
distributed environment have come increased risks. The major
risk to networked environments such as the Commission's is an
unauthorized user gaining access to the network or an authorized
user accessing inappropriate network resources.

As part of our ongoing efforts to ensure the security of the
Commission's network, the Office of Inspector General (OIG),
working closely with the office of the Associate Managing
Director - Information Management (AMD-IM), has conducted an
audit of network remote dial-in security. To conduct this
review, the OIG contracted with the computer security firm of TWM
Associates, Inc.
(hereafter referred to as "TWM") to provide technical support.

The FCC Wide Area Network (WAN) supports remote access using a
centralized modem pool, Novell's GroupWise Remote and Symantec's
pcAnywhere for Windows communication software, and standard
phone service. Depending on the type of communication software
installed, modem pool users can do everything from checking
e-mail to accessing databases. In addition, access to the network
can be gained using stand-alone modems and analog phone service.
This method of access includes both known entry points (modems
purchased and distributed by AMD-IM) and unknown entry points
(modems purchased and installed without AMD-IM's knowledge). The
objective of this task was to evaluate the current security
configuration of the modem pool dial-in capability and, as
needed, define an enhanced security posture. An additional
objective was the identification of unknown dial-up entry ports
supporting stand-alone modem access (i.e., "rogue" modems), an
assessment of the security of those ports, and the identification
of alternatives for securing those ports (please refer to figure 1
below).

  figure 1 - Series of stand-alone modems collected from network hub rooms

During our review, we determined that the Commission's network is
vulnerable to compromise via remote dial-in. In fact, during
testing the audit team was able to gain access to the network and
compromise a limited number of components. In our opinion, given
time and using readily available automated tools (1), the audit
team could have compromised additional components of the network
and affected its overall integrity, confidentiality, and
availability. Due to the severity of the specific condition
identified during testing, the OIG issued a report entitled
"Flash Report on Vulnerabilities Identified during our Review of
Remote Dial-In Security" during the audit. A copy of the flash
report is included as Appendix 3 to this report.

     (1) The audit team chose not to use these tools because of
         concerns about compromising network integrity. In
         addition, testing the logical security of internal
         network components was not an objective of this review.

In addition to the specific vulnerabilities identified in our
flash report, we determined that Commission equipment and
telecommunication inventory records do not accurately reflect
distributed modems; telecommunications resources are not
physically secured; selected network components are not properly
configured and administered to ensure secure use; and security
violation logs are not adequately monitored.

As we have stated, the Commission has become increasingly
dependent upon its automated systems. Interruption to services
provided by the network, which include access to databases,
e-mail, and the Internet, would be extremely disruptive to the
Commission. Loss of the network would have an immediate and
profound effect on employee productivity and would impact the
Commission's ability to serve its customers. For example, the
e-mail system could be disabled, information available in
Commission databases could not be retrieved, or distribution of
public information could be hampered. Strong controls over the
network remote dial-in capability, particularly over "rogue"
modems, help create a secure environment and reduce the risk of
these scenarios.

Detailed information about the methodology used, specific
conditions identified, and other sensitive material collected in
this review is included in a series of appendices attached to
this report.
Those appendices containing sensitive information
are hand stamped "SENSITIVE" and will be distributed only to
those personnel with a need for the information. Those personnel
receiving these appendices are requested not to photocopy or
otherwise distribute this material.

AUDIT OBJECTIVE

The Federal Communications Commission (FCC) has established
access to the internal Wide Area Network (WAN) through remote
dial-up connectivity allowing FCC users to access the network
from remote locations using laptop or stand-alone personal
computers via a centralized modem pool. The objective of this
audit was to evaluate the current security configuration of this
dial-in capability and, as needed, define an enhanced security
posture for the existing configuration. An additional objective
was the identification of unknown dial-up entry ports (supporting
stand-alone "rogue" modems), an assessment of the security of
those ports, and the identification of alternatives for securing
those ports.

AUDIT SCOPE

The audit was conducted in accordance with Generally Accepted
Government Auditing Standards and included such analysis,
interviews and testing as required to support the audit findings.

The scope of this review included all components of the
Commission's WAN; however, our review of field office components
was limited to telephone interviews and did not include a
physical observation of the automated environment. In addition,
our review did not include an assessment of Integrated Services
Digital Network (ISDN) modems. At the time of our review, the
Commission was testing a limited number of these modems.

Audit fieldwork included interaction with most Commission Bureaus
and Offices and was performed from September through November
1996.

BACKGROUND

On December 24, 1985, the Office of Management and Budget (OMB)
issued Circular No. A-130. This Circular provides a general
policy framework for management of Federal information resources.
The Circular implements provisions of the Paperwork Reduction
Act of 1980 as well as other statutes, Executive Orders, and
policies concerning general information policy, information
technology, privacy, and maintenance of Federal records. In
addition, the Circular places specific responsibility on the head
of each agency to "(e)nsure that the information policies,
principles, standards, guidelines, rules and regulations
prescribed by OMB are implemented appropriately within the
agency."

Appendix III to OMB Circular No. A-130, entitled "Security of
Federal Automated Information Systems", establishes a minimum set
of controls to be included in Federal automated information
systems security programs. The appendix specifically requires
that agencies shall:

a.   Assure that there are appropriate technical, personnel,
     administrative, environmental, and telecommunications
     safeguards in automated information systems;

b.   Assure the continuity of operations of automated information
     systems that support critical agency functions;

c.   Implement and maintain an automated information systems
     security program, including the preparation of policies,
     standards, and procedures;

d.   Assure that an appropriate level of security is maintained at
     all information technology installations operated by or on
     behalf of the Federal Government.

On January 8, 1988, the President signed the Computer Security
Act of 1987 into law. The purpose of the law was to recognize
that "improving the security and privacy of sensitive information
in Federal computer systems is in the public interest." The law
"creates a means for establishing minimum acceptable security
practices for such systems, without limiting the scope of
security measures already planned or in use."

The Commission's network remote dial-in capability is currently
provided via a centralized modem pool and a special FCC-modified
version of Symantec's Norton pcAnywhere for Windows and Novell's
GroupWise Remote product (please refer to figure 2 below).
Based upon a July 1996 survey conducted by the Office of the
Associate Managing Director - Information Management (AMD-IM),
there are three hundred fifty-one (351) potential GroupWise
Remote users (i.e., users who have requested GroupWise Remote for
their home personal computers). In addition to the AMD-IM
controlled modem pool, there are an unknown number of additional
analog and Integrated Services Digital Network (ISDN) modems
installed by end-users (please refer to figure 1 above).

figure 2 - Close-up of the centralized modem pool maintained in the Commission
           computer room in the 1919 M Street facility

Finding - The Commission Has Not Adequately Secured The Network
          Remote Dial-In Capability

During our review, we determined that the Commission has not
established effective controls to ensure the security of the
network remote dial-in capability. For example, we determined
that Commission equipment and telecommunication inventory records
do not accurately reflect distributed modems; telecommunications
resources are not physically secured; selected network components
are not properly configured and administered; and security
violation logs are not adequately monitored.

Inadequate controls over the network remote dial-in capability
threaten the viability of the network by increasing the risk of
inappropriate access.
During our review, we determined that the
Commission's network is vulnerable to compromise via remote
dial-in. In fact, during testing the audit team was able to gain
access to the network and compromise a limited number of
components. In our opinion, given time and using readily
available automated tools, the audit team could have compromised
additional components of the network and affected its overall
integrity, confidentiality, and availability. Due to the
severity of the condition and to ensure a timely response, the
OIG issued a "Flash Report." A copy of the flash report,
entitled "Flash Report on Vulnerabilities Identified during our
Review of Remote Dial-In Security" and dated October 18, 1996, is
included as Appendix 3 to this report.

Requirements For Securing The Remote Dial-In Capability Are Well
Established In Government, Industry And Commission Standards

The requirements for securing network connectivity are well
established in Government and industry standards. Office of
Management and Budget (OMB) Circular No. A-130, entitled
"Management of Federal Information Resources", establishes a
minimum set of controls to be included in Federal automated
information systems security programs. The Circular states that
agencies shall "assure that there are appropriate technical,
personnel, administrative, environmental, and telecommunications
safeguards in automated information systems" and that agencies
"assure the continuity of operation of automated information
systems that support critical agency functions."

In December 1990, the Institute of Internal Auditors published
the Systems Auditability and Control Report, hereafter referred
to as the "SAC Report." The SAC Report is the result of a major
research project conducted by top professionals in the
information systems audit profession and provides comprehensive
guidance on information technology and information systems
auditing. Requirements for network remote access controls are
recognized in several modules of the SAC Report. In module
eight, entitled "Telecommunications", the SAC Report recognizes
dial-in security as a "major means of network control" to
"prevent an unauthorized user from gaining access to the network
through a combination of hardware, software, and physical
security." The module goes on to state that "(t)he likelihood of
an unauthorized user accessing the network through the telephone
line is directly related to the ease of determining the network
port's telephone number, the costs incurred while attempting this
action, and the effectiveness of logical security barriers. When
the network access number is easy and inexpensive to obtain and
logical security controls are inadequate, the possibility that an
unauthorized user will attempt to breach network security is
relatively high" (emphasis added). In fact, these conditions
were identified during our testing of remote dial-in security.

FCC Directive 1479.1, entitled "FCC Computer Security Program"
and dated November 30, 1995, establishes a framework of
guidelines for remote dial-in at the Commission. The directive
states that the "guidelines should be considered by FCC users and
AMD-IM Network Administrators to facilitate secure dial-in/out
communication with FCC computer systems." The following
guidelines are provided:

     · Dial-in ports should be protected from unauthorized access;

     · Dial-in to FCC computer systems must only occur through
       entry points approved by AMD-IM;

     · Updates and changes in system communication hardware and
       software should be tested thoroughly to prevent
       unintentional access exposures;

     · Controls should be established to ensure remote users are
       positively identified and authenticated before
       connection to the network is authorized. Further,
       remote system(s) access using Guest accounts must be
       prohibited; and

     · Reasonable care should be taken to protect communication
       equipment and telecommunications cables from
       unauthorized access. Any installation or adjustment of
       communication equipment must be coordinated through
       AMD-IM, NMD [Network Management Division] in advance.

In our opinion, these guidelines present a solid framework for
managing network remote dial-in security. The audit team found
little evidence of the implementation of these controls during
our review.

Commission computer equipment and telecommunications inventory
records do not accurately reflect distributed modems

As part of our review of remote dial-in security, we obtained and
reviewed copies of computer equipment and telecommunication
inventory records. Using these records, the audit team conducted
a physical survey of Commission work space. The objective of the
survey was two-fold. The first objective was to locate modems
and the second objective was to assess the accuracy of inventory
records.
During the review, we located numerous modems which did
not have FCC inventory tags and which were not reflected in the
equipment inventory.

Telecommunication inventory records identify both ISDN and analog
phone lines. In general, ISDN lines support Commission voice
service and analog lines support fax machines, secure phones, and
modem resources. The audit team obtained an electronic copy of
the telecommunication inventory records and developed a report,
sorted by physical location, of analog lines. In addition to
physically tracing analog phone lines to test accuracy, the audit
team used "war dialer" software (software that automatically
dials a range of telephone numbers and records which of them
answer with a modem carrier) to call several thousand Commission
extensions. As a result of this testing, the team identified
numerous modems which were not accurately recorded in
telecommunications inventory records. Detailed results of our
testing are provided in Appendix 4 of this report.

Telecommunications resources are not physically secured

In March 1994, the OIG issued an audit report entitled "Report on
the Audit of Physical Security of the Local Area Network." In
that report, the OIG reported weaknesses in the physical security
of areas, including telephone closets used for vertical cabling,
where critical network components are stored. In that report,
we recommended that steps be taken to ensure that these areas are
secured. In March 1996, the OIG issued an audit report entitled
"Report on the Follow-Up Audit of Physical Security of the Local
Area Network." In that report, the OIG reported that weaknesses
in physical security in areas where critical network components
are stored continue to exist and recommended that steps be taken
to ensure that these areas are secured.

As part of our review of remote dial-in security, we conducted a
physical survey of Commission work space in the Washington, DC
area and at the Gettysburg, PA facility.
The Washington, DC locations included:

          · 2000 L Street
          · 1919 M Street
          · 2000 M Street
          · 2025 M Street
          · 2033 M Street
          · 2100 M Street
          · 1250 23rd Street

During our review of work space in the Washington, DC area we
identified several phone closets containing both
telecommunications wiring and network cabling which were not
physically secured. In addition, we identified numerous ISDN
handsets (telephones) stored in these unsecured areas. These
ISDN handsets are valued from $500 to $800 per unit.

Selected Network Components Are Not Properly Configured

As part of our assessment of remote dial-in security, we used
"war dialer" software, as well as computer equipment and
telecommunication inventory records, to identify network ports
supporting remote communication. Following identification, we
conducted off-site tests to assess the security of those ports.
Standard login procedures were used in an attempt to "break into"
the system. In addition to assessing these ports, we evaluated
the security of the modem pool supported by AMD-IM.

During testing, we identified several weaknesses in the
configuration of network components. For example, we were able
to compromise a network component that was configured to allow
GUEST logins. Using this component as an attack platform, we
were able to compromise additional network equipment which
allowed GUEST login. In addition, we identified network
components which were not configured to require userids and
passwords. In our opinion, this equipment could have been
"captured" by the audit team by simply establishing a User ID and
password on it. The result would have been the inability of
network management personnel to gain access to this equipment.
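
The inventory reconciliation described under "Commission computer
equipment and telecommunications inventory records do not
accurately reflect distributed modems" and the assessment of
answering ports above can be reduced to a repeatable check. The
following Python script is an added example and is not part of
this report or of TWM's testing tools; the war-dialer output
format, the inventory records, the telephone numbers and the
banners in it are constructed for illustration, and the banner
classification is a heuristic, not a test result.

```python
"""Reconcile war-dialer hits against the telecommunications inventory.

Added example; not part of the audit report or of TWM's testing tools.
The war-dialer log format, the inventory records, the telephone numbers
and the banners below are constructed for illustration, and the banner
classification is a heuristic, not a test result.
"""
import re
from dataclasses import dataclass

# Constructed telecommunications inventory, analog lines only:
# (extension, physical location, recorded purpose, AMD-IM approved entry point?)
TELECOM_INVENTORY = [
    ("202-555-0101", "1919 M St, computer room", "modem", True),   # modem pool line
    ("202-555-0102", "1919 M St, computer room", "modem", True),   # modem pool line
    ("202-555-0133", "2025 M St, room 412", "fax", False),
    ("202-555-0140", "2000 L St, room 715", "secure phone", False),
]

# Constructed war-dialer output in a hypothetical one-line-per-call format:
#   <number> <result> [banner="<text received after connect>"]
WARDIAL_LOG = """\
202-555-0101 CARRIER banner="FCC Remote Access. Username:"
202-555-0102 CARRIER banner="FCC Remote Access. Username:"
202-555-0117 CARRIER banner="bridge console>"
202-555-0133 CARRIER banner="login: "
202-555-0140 VOICE
202-555-0158 CARRIER banner="Enter 'guest' for public access. login:"
202-555-0161 BUSY
202-555-0170 CARRIER banner="PCANYWHERE"
"""

LOG_LINE = re.compile(
    r'^(?P<number>[\d-]+)\s+(?P<result>CARRIER|VOICE|BUSY|NO ANSWER)'
    r'(?:\s+banner="(?P<banner>[^"]*)")?$')
CREDENTIAL_PROMPT = re.compile(r'(login|username|user id|password)\s*:', re.I)
GUEST_HINT = re.compile(r'\bguest\b', re.I)
COMMAND_PROMPT = re.compile(r'[>#$]\s*$')

# Lower rank = more exposed; "unknown" ranks above credential prompts because
# it still has to be examined by hand.
EXPOSURE_RANK = {"no authentication": 0, "advertises guest login": 1,
                 "unknown": 2, "prompts for credentials": 3}


@dataclass
class Finding:
    number: str
    status: str     # rogue / inventory mismatch / known entry point / ...
    exposure: str   # one of EXPOSURE_RANK
    location: str


def parse_wardial_log(text):
    """Return (number, result, banner) tuples; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            hits.append((m["number"], m["result"], m["banner"]))
    return hits


def classify_banner(banner):
    """Heuristic exposure rating from the text a port sends on connect."""
    if banner is None:
        return "unknown"
    if COMMAND_PROMPT.search(banner) and not CREDENTIAL_PROMPT.search(banner):
        return "no authentication"          # dropped straight into a command prompt
    if GUEST_HINT.search(banner):
        return "advertises guest login"     # prohibited by FCC Directive 1479.1
    if CREDENTIAL_PROMPT.search(banner):
        return "prompts for credentials"
    return "unknown"


def reconcile(log_text, inventory):
    """Match every answering modem against inventory and rank by exposure."""
    by_number = {ext: (loc, purpose, approved) for ext, loc, purpose, approved in inventory}
    findings = []
    for number, result, banner in parse_wardial_log(log_text):
        if result != "CARRIER":             # only lines that answered with a modem
            continue
        rec = by_number.get(number)
        if rec is None:
            status, location = "rogue modem (not in telecom inventory)", "unknown"
        elif rec[1] != "modem":
            status, location = f"inventory mismatch (recorded as {rec[1]})", rec[0]
        elif rec[2]:
            status, location = "known entry point (AMD-IM modem pool)", rec[0]
        else:
            status, location = "recorded modem, not an approved entry point", rec[0]
        findings.append(Finding(number, status, classify_banner(banner), location))
    findings.sort(key=lambda f: (EXPOSURE_RANK[f.exposure], f.number))
    return findings


if __name__ == "__main__":
    for f in reconcile(WARDIAL_LOG, TELECOM_INVENTORY):
        print(f"{f.number}  {f.exposure:24}  {f.status}  [{f.location}]")
```

Run as a script it prints one line per answering port, most exposed
first. The three rogue lines in the sample carry no location because
the inventory has none; in practice each would be traced to a
physical jack before any conclusion is drawn, since a banner alone
says nothing about who installed the modem or what it connects to.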
Detailed results of our testing are provided in Appendix 4 of
this report.

Security Violation Logs Are Not Adequately Monitored

As reported in the previous finding, we conducted off-site
testing of identified network ports supporting remote dial-in.
Initially, the testing was conducted after Commission business
hours to reduce the likelihood of identification by network
management personnel. However, after several successful attacks
against the network, the team decided to conduct testing openly
during business hours. Our intent in conducting tests during
business hours was to assess the degree to which network
management personnel were able to review security logs and report
security incidents in a real-time manner. Our testing indicated
that security violation logs were not being adequately monitored.

Remote Dial-In Security Weaknesses Threaten Network Viability

Inadequate remote dial-in security increases the risk of
inappropriate access and threatens the availability, integrity,
and confidentiality of information on the network. During our
testing, we demonstrated the vulnerability of the network to
inappropriate access by remote dial-in. After successfully
compromising one inappropriately configured computer, the audit
team was able to attack and compromise several additional network
components. In our opinion, the audit team gained enough
privilege to compromise components of the network and affect its
overall integrity, confidentiality, and availability.

Recommendation for Corrective Action 1 of 3

The Managing Director implement and enforce the remote dial-in
guidelines established in FCC Directive 1479.1, entitled "FCC
Computer Security Program."
In addition, the Managing Director:
(1) conduct a complete inventory of Commission modems and adjust
inventory records to reflect this action; (2) require
justification for the use of each modem identified; (3) assess
the security and operational requirements of each modem for which
a valid requirement exists; (4) remove modems for which no valid
requirement exists; and (5) establish a program for periodically
testing modems to ensure that an acceptable level of network
security is maintained.

Recommendation for Corrective Action 2 of 3

The Managing Director take steps to physically secure areas where
critical telecommunications resources are stored.

Recommendation for Corrective Action 3 of 3

The Managing Director address the specific conditions reported in
Appendix 4 (2). In addition, the Managing Director examine all
network components to ensure that: (1) all components employ
unique individually assigned userids and passwords; (2) adequate
security features including password files and audit files are
implemented and protected; and (3) access to sensitive
communication applications be limited. Furthermore, the Managing
Director direct network management personnel to establish a
program for daily review of security incident logs.

     (2) Because of the sensitive nature of the material contained
         in this document, copies will only be distributed to those
         personnel with a need for the information.

Management Response

The Managing Director concurred with the report results and
provided specific comments about selected conditions identified
during the review. With respect to our finding of Guest account
login with no password, the Managing Director reports that this
capability has been disabled. In addition, the Managing Director
reports that two components accessed during the review,
"Maglink1" and "Maglink2", are "bridges which were previously
used to support network connectivity" and that "these devices are
not physically connected to the network." The Managing Director
goes on to state that "since the devices are kept in inventory
for contingency use, AMD-IM has coordinated an effort to take
precautionary measures and now require a password for future use
of the devices."

With respect to our finding that dynamic userid/password files
created by GroupWise can be recovered using Norton Utilities, the
Managing Director explains that "the threat is minimized by the
fact that successfully hacking one computer will only allow
access to the last GroupWise e-mail account accessed from that
computer." Furthermore, the Managing Director points out that
"to accomplish such a break-in, a person would require physical
access to the space where a computer is located."
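
The daily review of security incident logs called for in
Recommendation 3, and the condition reported under "Security
Violation Logs Are Not Adequately Monitored", can be supported by
an automated pass over the dial-in authentication log that flags
the patterns the audit team's own testing produced: a run of failed
logins on one port, a success immediately after such a run, a login
on a prohibited Guest account, and logins outside business hours.
The following Python script is an added example and is not part of
this report or of any Commission system; the log line format,
timestamps, port numbers, caller identifiers and user names are
constructed, and the thresholds are illustrative assumptions.

```python
"""Daily review of a remote dial-in authentication log.

Added example; neither the audit report nor the Commission's modem pool
produced logs in this form.  The log line format, timestamps, port numbers,
caller identifiers and user names are constructed, and the thresholds are
illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) port=(?P<port>\d+) '
    r'caller=(?P<caller>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$')

BUSINESS_HOURS = (7, 19)            # 07:00-19:00 local counts as business hours
FAIL_WINDOW = timedelta(minutes=10)
FAIL_BURST = 5                      # failures on one port within FAIL_WINDOW
FAIL_BEFORE_SUCCESS = 3             # failures preceding a success worth a look
PROHIBITED_ACCOUNTS = {"guest", "anonymous"}   # FCC Directive 1479.1: no Guest access

# Constructed sample: an evening of guessing on port 3 ending in a Guest login,
# a user mistyping a password once, and a daytime Guest login on port 4.
SAMPLE_LOG = """\
1996-10-15 09:12:40 port=1 caller=202-555-0188 user=jdoe result=OK
1996-10-15 22:01:11 port=3 caller=UNKNOWN user=admin result=FAIL
1996-10-15 22:01:40 port=3 caller=UNKNOWN user=admin result=FAIL
1996-10-15 22:02:05 port=3 caller=UNKNOWN user=root result=FAIL
1996-10-15 22:02:33 port=3 caller=UNKNOWN user=supervisor result=FAIL
1996-10-15 22:03:02 port=3 caller=UNKNOWN user=manager result=FAIL
1996-10-15 22:03:30 port=3 caller=UNKNOWN user=guest result=OK
1996-10-16 10:45:09 port=2 caller=202-555-0190 user=msmith result=FAIL
1996-10-16 10:45:40 port=2 caller=202-555-0190 user=msmith result=OK
1996-10-16 14:20:00 port=4 caller=UNKNOWN user=guest result=OK
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def review(text):
    """Return (timestamp, kind, detail) alerts for one day's dial-in log."""
    alerts = []
    failures = defaultdict(list)        # port -> timestamps of FAILs in the window
    for e in parse_log(text):
        port, ts = e["port"], e["ts"]
        failures[port] = [t for t in failures[port] if ts - t <= FAIL_WINDOW]
        if e["result"] == "FAIL":
            failures[port].append(ts)
            if len(failures[port]) == FAIL_BURST:    # fires once per burst
                alerts.append((ts, "failed-login burst",
                               f"port {port}: {FAIL_BURST} failures within {FAIL_WINDOW}"))
            continue
        # Successful login: the directive prohibits Guest, after-hours use is
        # unusual, and a success right after a run of failures looks like guessing.
        if e["user"].lower() in PROHIBITED_ACCOUNTS:
            alerts.append((ts, "prohibited account",
                           f"port {port}: successful login as {e['user']}"))
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append((ts, "after-hours login",
                           f"port {port}: {e['user']} from caller {e['caller']}"))
        if len(failures[port]) >= FAIL_BEFORE_SUCCESS:
            alerts.append((ts, "success after failures",
                           f"port {port}: {e['user']} succeeded after "
                           f"{len(failures[port])} failures"))
    return alerts


def daily_summary(alerts):
    """Count alerts by kind for the daily log review sign-off."""
    return Counter(kind for _, kind, _ in alerts)


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for ts, kind, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24}  {detail}")
    print(dict(daily_summary(found)))
```

On the sample the single mistyped password on port 2 produces no
alert, while the evening sequence on port 3 produces four, which is
the point of the thresholds: the review should surface the sequence
the audit team actually performed without burying it in ordinary
user error. The thresholds should be tuned against a week of normal
traffic before the output is relied upon, and a production log that
fails to parse should itself be treated as a finding, since it
usually means the device's log format changed or the file was
altered.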